“We update technology all the time but we don’t stop and update how we think about technology.” – Flavio Aggio, CISO, World Health Organization.
Contrary to popular belief, your product is no longer the most valuable resource that your organization trades in, data is. Since the early 2000’s, data has become the tool that allows you to trigger change projects, the means of both monitoring and staying ahead of competitors and the key to continued daily operation. To this end, whilst your data may be invaluable to you, to malicious actors and cyberterrorists, it is priceless. This is what the makes the CISO & security segment within any enterprise so essential, and this is why – particularly in the current climate – they cannot afford to slip.
From Flavio Aggio of the World Health Organization to Dr Claudia Natanson of the UK Cyber Security Council here are 9 of the world’s leading CISOs and security executives on what makes an effective security division and how in 2021, the demands made of the segment are stricter than ever. Whether it is in the shifting role of the CISO, the impact of Covid-19 or our need to more adequately define our future of defense, what’s clear is that nothing less than exemplary execution from the CISO will be adequate when navigating the ongoing climate of security change.
1. The CISO & the Perfect Storm of Covid-19
For every industry there comes a moment where several major events, activities and or instances merge to detrimentally affect the path or course being taken. In 2021, we are still feeling the effects of the perfect storm that was Covid-19 and with security practitioners still trying to secure moving targets in the face of unpredictable economies, and out of a greater focus being placed on wellbeing, we must look to ask, are security practices adapting sufficiently?
As the Chair of Board of Trustees for the UK Cyber Security Council, Dr Claudia Natanson, is a world-renowned digital and cyber security transformation expert. A Financial Times recognized senior technology influencer, her experience and expertise has seen her assist many across industry sector, SME’s and FTSE 100 businesses. Speaking at both GDS’ European and US Security Digital Summits, Claudia sought to shine a light on some of the most significant issues facing security today, and how we might navigate current uncertainty to realize success on the other side.
One of the greatest issues that faces security divisions today is an ambiguity of identity. Though many senior leaders understand the best position for security in the business, many are still getting it wrong. As Claudia suggested, “security is not treated as a business function, it’s treated as a technology function”, which means that many teams are incorrectly reporting into technology teams and leaders and are consequently constrained by the aims and goals of these extraneous factors. For security to be most useful it needs to stand alone, as Claudia states, “I think that it’s time to revise the way that we practice”.
The misplacement of security can only lead to more problems down the line, not least of which is that a tech-oriented security team will be forced to focus on projects that don’t drive value. As Claudia established, “we pay a lot of attention to the systems and technology, but having said that, remember that all of the reports still say that the major cause of breaches are human error and not following process and policy.” Technology is important, but staff are ultimately the ones that will use it. To this end it’s a better use of an infosec teams time to focus on the human, to train staff to avoid risk and to follow policy to the letter.
To help our security staff to advance, we must foster a sense of community amongst them. As Claudia suggests, “the thing that I am finding a bit lacking across cyber, both from the professional and the organizational side is a lack of collaboration.” Security can provide more value to the business and its internal divisions when it is free from constraint and once we erase these barriers to progress, security will be able to collaborate and offer enterprise-wide solutions that work for all.
The truth of security – as we established above – is that, “data is the most expensive currency, if it wasn’t we wouldn’t have so many ransomware attacks,” with this in mind, it’s time to let security off the leash. It isn’t the team that exists to say no, it’s the team that says no because it’s in the organizations best interest for it do so. Ultimately, as Claudia concluded, “cybercrime is no respecter of persons,” it’s time that our plans pivoted to take this into account, giving security the influence that it deserves.
2. Preparing the CISO & Staff Post-Covid
It might sound controversial, but humans are the weakest and strongest links in Cybersecurity. We do need the technologies to identify, protect, detect, respond and recover yes, but these are not sufficient on their own, to this extent a HumanOS upgrade is required to help build the skills of our employees and enable their safe work in the day-to-day. Training and awareness are no longer enough, it’s time to fully modernize our security staff to prepare them for our uncertain future.
As CISO for the World Health Organization, Flavio Aggio spearheads global IT efforts to safeguard the confidentiality, integrity and availability of the WHO’s digital assets. His work is primarily focused on governance, risk management, policies, rules and procedures, security standards, security incident response, security operations, and staff awareness activities. Prior to joining the WHO, Flavio served as CTO for the City and County of San Francisco, a role in which he helped to develop technology solutions to modernize and protect the city from malicious intent.
Flavio began his keynote discussion by establishing a simple truth, “humans are the weakest and the strongest links in cybersecurity”. Echoing the words of Claudia Natanson in her discussion on the perfect storm, Flavio suggests that in the current climate, “a 100% safe system doesn’t exist,” and that consequently, “we need to really change the perspective.” The answer is in how we present safety and defense to our security staff as well as the wider organization.
Infosec staff are under greater pressure to achieve than ever and truly, it’s never been more difficult to be an effective cybersecurity team; a matter which has only been exasperated by the ongoing constraints of remote work. However, we should not sugarcoat the matter when speaking with staff, as Flavio suggests, the best way to combat the threat is via preparedness and by being realistic, as he purports, “all organizations should assume that inside of their organization, inside of their datacenters or inside of their network, there’s no safe place.”
Though this may seem fatalistic at first, this is the reality that security faces each day and staff will quickly align to the honesty of the attitude. Once your staff are au fait with this priority, they will be better able to support internal projects. For example, Flavio stressed that it is essential that you “have an active policy in governance because without one, you will not be able to sustain your program or staff.” Also, he stated that total technological coverage does not exist, instead, “systems need to be updated continuously by staff, by doing that you diminish the possibility of attacks”.
Flavio believes in preparedness first and foremost and, in line with this, his closing recommendation is that organizations “build a red and blue team inside of the organization so that you can have the offensive and defensive approaches that help you to anticipate what hackers can do.” By encouraging staff into positions of greater versatility, you can prepare your organization for threats of every variety, in doing so, you will help enable the security staff of the future.
3. The CISO & Future Threat Detection
Threat detection & response – as well as security operations in general – have evolved significantly in recent years, even since the beginning of 2020. New trends, practices, and technologies have taken over, and in their wake, they’ve replaced what we previously considered immutable priorities for security ops in the day-to-day. This formed the basis of conversations with Ariel Lemelson, Head of Cyber Detection & Response for Booking.com, who was keen to explore the paradigm shifts we’ve recently experienced in this space.
In his role at Booking.com Ariel oversees engineering, product management and strategic project delivery, whilst taking care of the group’s overarching security operation requirements. Additionally he helps to manage people, processes, technology, budget and services offered to the business, as well as also serving as Group Product Manager for the Cyber Detection & Response organization.
Detecting and responding to threats is a critical component in the day-to-day responsibilities of the security team, and it’s a space currently racked with uncertainty; according to Ariel, “modern threat detection and response has changed quite dramatically over the last few years. It’s gone from let’s cover everything to let’s focus on what’s important. We need to separate our approach into a philosophy change and also a technical change.” In regard to philosophy change, this will involve dropping the illusion of hermetic coverage, whilst technical will see us continually updating our tech. This two-pronged approach will prove critical in separating the noise from the must-haves when tackling threats.
What does a successful threat detection and response system look like though? More importantly, what might the future model look like? According to Ariel, “the three main components for an effective threat detection and response program, are observability, detection and response and we need to define our processes, technologies and people across each of these three factors”. It is obviously critical that your threat management process is mapped along the threat management lifecycle, but as Ariel suggests this will prove useless if these are not viewed through the lens of processes, technologies & people, ergo the factors affecting their use in the day-to-day.
The future of threat detection and response is about balancing priority as, in the end, “it is impossible to stop all attacks before they actually land. Instead, “we need to focus on the things that the business needs to cover first but accept that not everything will be covered in terms of detection and response.” It’s fair to say then, that the future of threat detection will be more focused than holistic, seeing security staff move to defend the most vulnerable or high value targets to protect the business, as ultimately, “we are in a cat and mouse game with the attacker, we have to catch them before they get to their destination”.
4. The CISO & Assembling a Security Culture
As a direct consequence of rolling lockdowns and a workforce at arms length, the opportunities to institute a positive security culture have been made sparser than ever. For some organizations however, the lapse in business-as-usual served as an opportunity to pause and catch their breath, these businesses have sought to play their best with the hand that was dealt, rigging their efforts to match the needs of the new work environment beyond COVID-19. Storebrand is one such company.
Magnus Solberg works as VP, Head of Security Governance for Storebrand and in his role he has particular responsibility for Storebrand’s security culture program and any corporate security governance requirements that the group might have. In particular, he is looking to tackle InfoSec threats in the digital age via his a holistic approach which sees information security begin and end with people.
Culture has become increasingly difficult to define in recent memory, not only in the security space but across industries and enterprises worldwide. It’s not difficult to see why. Culture isn’t just down to holding regular conversations with staff; as Magnus stresses, “building a security culture, or any culture really, requires constant maintenance and continuous effort,” something that has become continually more difficult to provide since 2020. For Magnus however, culture has found a new role, asserting than in 2021, culture is the best “way of simply making employees not feel stranded.”
How do we look to construct a strong sense of culture to support these employees though? According to Magnus, “building a strong security culture is about being culturally sensitive,” and understanding that each employee is different. Unfortunately, there is no unified approach to culture, and as Magnus inferred, “cultural sensitivities, or even the way people learn or the way they accept your ‘quote, unquote’ message, varies highly from country to country, even within countries.” It seems then, that culture is far easier to institute within individual teams and this is where CISOs come in.
It all comes down to leadership and as Magnus suggests, “strong and visible leadership that clearly shows that they care about, and are committed to a positive security culture in the company, is absolutely key,” once they have established a positive security culture within the team, it is far easier to help it to radiate out into the wider organization. As with most things that positive culture is born out of a simple solution, “what people appreciate most is being positively acknowledged”, once you begin to acknowledge the efforts of your team you can begin – as Magnus puts it – to “shape your colleagues into a critical mass of individual risk managers”.
5. Streamlining Standardization with the CISO
Once you have established a tangible security culture, your organization will be well placed to implement overarching change at pace. After all, if your workers understand your culture, they will better understand why the wider business needs to change, and few innovations are needed more at this time than an efficient standardization of security process across geography and projects. increasingly, we are seeing companies come to rely on a common, global standard in order to set their teams and enterprise up for the future of work, Glen Hymers is an executive in support of this.
Glen Hymers, the previous Global CISO & Head of Data Protection for Save the Children and now Head of Data Privacy and Compliance for the UK cabinet office is particularly invested in this topic, and it formed the focus of his talk at GDS’ Security Digital summit earlier this year. A security specialist with over 20 years of experience, he discussed the importance of a global defense standard and how he took Save the Children on its journey from federated to future-proofed.
In Glen’s eyes, “the future of cybersecurity will be made up of three things. One, professionalization. Two, addressing the gap, e.g. by not looking for unicorns for entry-level roles. Third, the sharing of intelligence and working together more closely.” Standardization will be a pivotal part in helping businesses to deliver this future, as by creating a comprehensible global security standard, there can be no doubt as to what role the security division plays. The question becomes not ‘how do you help?’ but ‘how can we help you do more?’.
Evidently, setting a common standard for processes helps everyone in security to align to the needs of the wider organization and puts it in a better position to, “understand the business, understand what it is that it wants to achieve, and be that enabler.” Standardization is not only valuable just because it lays out the day-to-day function of the security team though but because it also reinforces it’s position in the organization to align with culture, as Glen puts it, “security is not here to say no, security is here to say ‘you probably shouldn’t have done that, but if we do this, it will work.’” Standardization will help to sell this concept across the enterprise.
Similar to culture, effective standardization will always be leadership-led first and in line with what makes a peerless CISO in 2021, Glen closed with an anecdote, “I received a note from one of my team members recently and it said, “thanks for being the brains of the boardroom, the arms of the policy and process and the legs of the team to move it forward. It’s a great way to describe a CISO.”
6. The Next Generation of CISO Leadership
Whether it’s supporting a permanent remote workforce whilst accelerating digital transformation or preparing for an expanded threat landscape – it’s essential that security executives have the right infrastructure and people in place to face the challenges of a post-COVID world. CISO’s have no doubt proven integral to business survival since the onset of the pandemic but it’s time to assess the qualities that will come to define the security leader of the future.
This formed the focus of the conversation between Jeffrey Moore, Chief Product Security Officer for Draeger, Anne Coulombe, Head of Data Protection at MassMutual, Wanda Jones-Heath, CISO for the US Air Force and Sujeet Bambawale, CISO at 7-Eleven. What became clear from their discussion? Though the theme of leadership was referenced consistently throughout the security summit, the ideas surrounding it differ drastically.
For Wanda at the US Air Force, security leaders must demonstrate confidence, “I want the folks who are not afraid to have the conversations, that are not afraid to push the status quo, that want to be in a particular job and give it 100%.” On the other hand, for Anne at MassMutual, it was important that the security leaders take this courage and use it to empower the group, stating that “it’s flexibility, it’s geography and it’s also understanding the different cultures involved in the entire group,” that make the best leaders.
This dovetails neatly into Jeffrey’s focus on people, who, via his work at Draeger has found that he is, “a big believer in retaining and upskilling teams”, adding that leaders must acknowledge that, “the important part is to make sure that the inherent knowledge within the organization about its operations and its people can shift as needed.” Sujeet, from 7-Eleven agreed, stating that “I believe that security leaders should incentivize security training and formal development in equal measure.”
If there is one single factor that the executives highlighted as pivotal in the modern CISO however, it is their proclivity towards diversity, as Sujeet put it, “security, as a discipline, benefits most from diversity of thought and diversity of background”. Anne acquiesced to this point, outlining that “diversity means many things to many individuals, but at the foundation it means that you’re looking for people who don’t have the exact same life experience, which means that they can think differently”.
What became clear from the panel is that there is no single defining feature for the modern CISO or leader in security. Instead, we must make efforts to ensure that security leaders of the future are more human, more global and more open than they have ever been before, only in doing so can they tangibly deliver safe and secure workplaces both now and in future.
Post-Summit Reporting – Security Digital Summit 2021
GDS’ Security Digital summits bring renowned senior security executives together to connect and provide insights. If you are a leader in the space, don’t miss out on the opportunity to engage with other Chief Executive, VP and Director-level Leaders who are driving change both now and into the future.
Not simply comprised of the keynotes we host, summits also provide interactive Q&A and polls as well as breakout sessions, roundtables and 1-1 business meetings with executives. Across each of these, we asked leading Security executives and providers about their top spending focuses and at what stage in the process they were in implementing these transformation initiatives, the results of which can be seen below:
For the most part, executive spending on security transformation initiatives receive a fairly evenly investment, but In spite of this, adaptive security narrowly edged out the competition as the current priority for leaders in the space. It’s not difficult to see why either; in times of great uncertainty, the ability to adapt quickly to change has become paramount, so much so that no executive is willing to ignore its potential.
This goes back to what Ariel Lemelson and Flavio Aggio discussed above, suggesting that we must accept that there is no such thing as a 100% secure system. Instead, we must look to fill the gaps where we can. Adaptive security tools will help us to more readily cater to this intention and it’s for this reason that we’re seeing so many executives entertain the option.
HR NA April 2021 – In Review
2020 was the year of the cyber pandemic. There is no business, group or individual that was not ultimately affected by its influence, and this has caused us to think about security, both personally and in the business, differently. 2020 forced the security function of all organizations to be reactive rather than innovative, but in 2021, we’re looking to rectify that lapse, and as we’ve seen throughout this article and at the GDS Security summits, we’re already well underway to protect ourselves from future threats and achieving this goal.
Leadership, collaboration, post-Covid growth. These are the areas in which senior security executives are having to invest the majority of their time and around which the attendees concurred most across GDS’ Security EU & NA Summits. The future of security will be won and lost on a company’s ability to provide solutions which cater to these key themes; the only real way that security can drive these changes however, is if the wider organization allows them to do so. Security and the CISO need to be let off the leash if they are to continue to deliver powerful change, anything less will prove inadequate.
GDS Summits are tailored 3-day virtual event conferences that bring together business leaders and solution providers to accelerate sales cycles, industry conversations and outcomes. Regarding the Security Summit, 75% of Delegates said the Digital Summit provided them with actionable outcomes to support their current initiatives and 88% of Sponsors said that they would be interested in sponsoring future events.
For more, click here to hear from attendees on how GDS has helped them to achieve their business outcomes.
Continue the debate at GDS’ Security Digital Summits where we bring together senior security executives who are actively seeking to share, learn, engage, and find the best solutions.